3. Problem Description

a. OpenSSL update for multiple products.

OpenSSL libraries have been updated in multiple products to versions 0.9.8za and 1.0.1h in order to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to these issues. The most important of these issues is CVE-2014-0224.

CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to be of moderate severity. Exploitation is highly unlikely or is mitigated due to the application configuration.

CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL Security Advisory (see Reference section below), do not affect any VMware products.

CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server is running a vulnerable version of OpenSSL 1.0.1 and clients are running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating the server will mitigate this issue for both the server and all affected clients.

CVE-2014-0224 may affect products differently depending on whether the product is acting as a client or a server and on which version of OpenSSL the product uses. For readability, the affected products have been split into 3 tables below, based on the different client-server configurations and deployment scenarios.

MITIGATIONS

Clients that communicate with a patched or non-vulnerable server are not vulnerable to CVE-2014-0224. Applying these patches to affected servers will mitigate the affected clients (see Table 1 below).

Clients that communicate over untrusted networks, such as public Wi-Fi, with a server running a vulnerable version of OpenSSL 1.0.1 can be mitigated by using a secure network such as a VPN (see Table 2 below).

Clients and servers that are deployed on an isolated network are less exposed to CVE-2014-0224 (see Table 3 below). The affected products are typically deployed to communicate over the management network.

RECOMMENDATIONS

VMware recommends that customers evaluate and deploy patches for the affected servers in Table 1 below as these patches become available. Patching these servers will remove the ability to exploit the vulnerability described in CVE-2014-0224 against both clients and servers.
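As an added illustration that is not part of this advisory, the following Python encodes the advisory's exposure rule for CVE-2014-0224: the fixed versions 0.9.8za and 1.0.1h, OpenSSL's letter-suffix ordering (a..z, then za, zb, ...), and the condition that the man-in-the-middle scenario requires a vulnerable 1.0.1 server together with a vulnerable 0.9.8 or 1.0.1 client, so that patching the server alone closes it. The function names and version strings are constructed; the 1.0.0 branch returns "not covered" because this advisory names no fixed version for it.

```python
import re
from typing import Optional, Tuple

# Fixed versions named in this advisory (0.9.8za and 1.0.1h). A version on one
# of these branches that sorts before the fix is treated as affected by
# CVE-2014-0224. Other branches return None because the advisory does not
# list a fixed version for them (assumption: do not guess for 1.0.0 etc.).
FIXED_BY_BRANCH = {"0.9.8": "za", "1.0.1": "h"}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]*)$")

def parse_version(version: str) -> Tuple[str, str]:
    """Split '1.0.1g' into ('1.0.1', 'g'); raise ValueError on anything else."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    return match.group(1), match.group(2)

def _letter_key(suffix: str) -> Tuple[int, str]:
    # OpenSSL patch letters run a..z and then za, zb, ...: a longer suffix is
    # always newer, so compare length first and spelling second. A bare
    # '1.0.1' has an empty suffix and sorts before every lettered release.
    return (len(suffix), suffix)

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the advisory's fix on its branch."""
    branch, suffix = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None  # branch not covered by this advisory
    return _letter_key(suffix) < _letter_key(fixed)

def mitm_exposed(server_version: str, client_version: str) -> bool:
    """Advisory rule for the man-in-the-middle condition: the server must run
    vulnerable OpenSSL 1.0.1 AND the client must run vulnerable 0.9.8 or 1.0.1.
    Updating the server alone removes the exposure for every client."""
    server_branch, _ = parse_version(server_version)
    server_vuln = server_branch == "1.0.1" and bool(is_vulnerable(server_version))
    client_vuln = bool(is_vulnerable(client_version))
    return server_vuln and client_vuln

if __name__ == "__main__":
    # Constructed sample pairs, not inventory taken from the advisory.
    for server, client in [("1.0.1g", "0.9.8y"), ("1.0.1h", "0.9.8y"), ("0.9.8y", "1.0.1g")]:
        print(server, client, "exposed" if mitm_exposed(server, client) else "not exposed")
```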

2014-07-18 VMSA-2014-0006.8 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.5.1.1 and vSphere Replication 5.5.1.1 on 2014-07-17

2014-07-22 VMSA-2014-0006.9 Updated security advisory in conjunction with the release of patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 on 2014-07-22

2014-09-09 VMSA-2014-0006.10 Updated security advisory in conjunction with the release of patches for ITBM Standard 1.1, vSphere Replication 5.8 and vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric Application Director has been removed from the table above as it is not affected by this issue.

2014-10-09 VMSA-2014-0006.11 Updated security advisory in conjunction with the release of vSphere Data Protection 5.5.7 on 2014-10-09